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DETAILED ACTION 
Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 1 02 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 1-3, 5, 6, 8 and 9 are rejected under 35 U.S.C. 103(a) as being 

unpatentable over Comay et al (6,363,489 B1 ; hereinafter Comay) in view of Malan 

et al (2002/0035698 A1 ; hereinafter Malan). 

Regarding claims 1 , 6 and 9, Comay discloses: 

A security system on a network, comprising (see Fig. 1): intrusion detecting 
means for detecting an intrusion through an analysis of a packet, adding intrusion 
information associated with the intrusion into the packet, creating an active packet and 
transmitting the active packet to an address of an intruder which transmitted the packet 
(see, for example, col. 2, lines 40-51; col. 5, lines 15-31; col. 5, lines 32-60, wherein 
changing the destination address to the source address corresponds to the recited 
adding intrusion information associated with the intrusion into the packet). 

However, Comay does not expressly discloses routing means for tracking the 
intrusion, for all routes through which the intruder passed, based on the active packet 
transmitted thereto from the intrusion detecting means, and filtering the packet 
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associated with the intruder, thereby isolating the intruder, wherein the routing means 
includes active nodes on a local networks of a user to be attacked and the intruder. 

Malan teaches a system that protects a publicly accessible network services from 
undesirable network traffic in real-time (see, for example, Fig. 2; [0022]-[0027]). Malan 
teaches that the arriving packets are analyzed and filtered (see, for example, [0066] and 
[0072]). Malan further teaches a mechanism that backtrack the path that incoming 
packets have traveled through all the routers from the beginning to end to pinpoint the 
location of the intruder and filtering the packets from the attacker (see, for example, 
Figs. 6,10-15; [0091]-[0093]; [0096]; [0102]; [0109]). Malan also teaches that there are 
active routers on both protected network and the network of the intruder (see, for 
example, Fig. 10). 

Therefore, it would be obvious to a person of ordinary skill in the art at the time 
the invention was made to implement a backtrack and filtering means as taught in 
Malan in the system of Comay to block an intruder at any layer or depth of a transaction 
and as close as possible to its original source (Malan, [0014] and [0098]). 

Regarding claim 2, Malan discloses: 

The system as recited in claim 1 , wherein the intrusion detecting means includes 
means for recognizing a local network from which the intrusion is originated, 

during the detection of the intrusion (see, for example, Fig. 8; [0055]; [0094]; [0107]); 

and 
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means for notifying the intrusion of a filtering means in a local network to which 
the user to be attacked belongs and that in a local network to which the intruder belongs 
(see, for example, [0053]; [0054]; [0072]; [0096]). 

Regarding claim 3, Comay discloses: 

The system as recited in claim 2, wherein the intrusion detecting means includes: 

collection means for collecting packets which pass therethrough (see, for 
example; col. 4, lines 42-60, where the firewall at the entry point corresponds to the 
recited collection means); 

analysis means for receiving the packet from the collecting means and 
determining whether the packet is one associated with intrusion or an active packet 
(see, for example; col. 5, lines 15-30, where the intrusion detection module corresponds 
to the recited analysis means); and 

processing means for processing the intrusion information or the active packet, 
which is received from the analysis means (see, for example; col. 5, lines 31-60, where 
the intrusion diversion module corresponds to the recited processing means). 

Regarding claim 5, Comay discloses: 

The system as recited in claims 1 , wherein the routing means includes: filtering 
means for determining whether the packet is transmitted or not (see, for example, Fig. 
2, step 3, wherein the scanning corresponds to the recited filtering); 



Application/Control Number: 09/987,933 Page 5 

Art Unit: 2132 

classifying means for determining whether the packet from the filtering means is 
an active packet or an internet protocol (IP) packet, if the packet is the IP packet, 
forwarding the packet (see, for example, Fig. 2, steps 6, 7b and 8a, wherein the packet 
is forwarded if it is not associated with an intruder which corresponds the recited IP 
packet), and if the packet is the active packet, transmitting the packet to be executed at 
an active packet execution environment (see, for example, Fig. 2, steps 6, 7a and 8b, 
wherein the packet is determined that associated with an intruder which corresponds 
the recited active packet); and 

means, if the packet classified by the classifying means is one associated with 
the intrusion information, for adding the packet information to be filtered to the filtering 
means and forwarding the packet through an IP forwarding engine (see, for example, 
col. 6, lines 39-67 and Fig. 2, steps 6, 7a and 8b, wherein the packet information 
associated with an intruder is stored at the hostile DB). 

Regarding claim 8, Comay discloses: 

The method as recited in claim 6, wherein the step b) includes the steps of: 
b1) classifying, if the packet inputted to the local network border router is one to 
be transmitted by filtering, whether the packet is an active packet or an Internet protocol 
(IP) packet (see, for example, Fig. 2, steps 6, 7a, 8b or 6, 7b and 8a, wherein the 
packets are determined associated with an intruder or not which corresponds the 
recited active or IP packet); 
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b2) if the packet is the IP packet, forwarding the packet (see, for example, Fig. 2, 
steps 6, 7b and 8a, wherein the packet is forwarded if it is not associated with an 
intruder which corresponds the recited IP packet); and 

b3) if the packet is the active packet, determining, whether the packet is one 
associated with the intrusion information, and if so, storing the intrusion information and 
forwarding the packet (see, for example, col. 6, lines 39-67 and Fig. 2, steps 6, 7a and 
8b, wherein the packet information associated with an intruder is stored at the hostile 
DB). 

Allowable Subject Matter 

Claims 4 and 7 are objected to as being dependent upon a rejected base claim, 
but would be allowable if rewritten in independent form including all of the limitations of 
the base claim and any intervening claims. 

Conclusion 

The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

US Pub. No. 2002/01 88864 A1 to Jackson. 
US Pub. No. 20020038339 A1 to Xu. 
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Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Abdulhakim Nobahar whose telephone number is 571- 
272-3808. The examiner can normally be reached on M-T 8-6. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 
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